Cybercrime Group TeamPCP Launches CanisterWorm Wiper Attack Against Iranian Systems

From Darhost, the free encyclopedia of technology

In March 2025, a financially motivated cybercrime group known as TeamPCP deployed a worm called 'CanisterWorm' that carries a wiper payload aimed at systems in Iran. The worm spreads through poorly secured cloud services and, once it has a foothold, checks whether the host is set to Iran's time zone or uses Farsi as its default language. If either condition matches, it wipes data on the infected machine. This is a significant escalation for TeamPCP, which had previously focused on data theft and extortion. Key questions and detailed answers about this emerging threat follow.

What is TeamPCP and how did they gain attention?

TeamPCP is a relatively new cybercrime group that emerged in late 2024 and first drew attention through financially motivated data theft and extortion operations. Its operations rely on compromising corporate cloud environments with a self-propagating worm that targets exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. After gaining initial access, the group moves laterally through victim networks, steals authentication credentials, and extorts victims over Telegram. In January 2025, security firm Flare published a profile noting that TeamPCP weaponizes exposed control planes rather than exploiting endpoints, and that its victims are predominantly cloud infrastructure: Azure and AWS accounted for 97% of the compromised servers in Flare's data.

Cybercrime Group TeamPCP Launches CanisterWorm Wiper Attack Against Iranian Systems
Source: krebsonsecurity.com

What is the CanisterWorm and how does it work?

CanisterWorm is the name given to TeamPCP's worm and the infrastructure behind it. The name comes from the group's use of Internet Computer Protocol (ICP) canisters, smart contracts hosted on the Internet Computer blockchain, as command-and-control nodes; because the canisters are tamper-proof and run on a decentralized network, they are resistant to takedown. The worm spreads automatically by scanning for exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. Once inside a network, it attempts to deploy a wiper payload. The wiper checks the victim system's time zone and locale: if the time zone is Asia/Tehran or the default language is Farsi, it proceeds to destroy data. If the compromised host has access to a Kubernetes cluster, it wipes every node in the cluster; otherwise it wipes the local machine.

What was the Trivy supply chain attack and how is it connected to the Iran wiper?

On March 19, 2025, TeamPCP executed a supply chain attack against Trivy, the open-source vulnerability scanner maintained by Aqua Security, injecting credential-stealing malware into official releases through the project's GitHub Actions pipeline. Aqua Security removed the malicious files, but security firm Wiz reported that the trojanized versions had already harvested SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from users who ran them. The same infrastructure was later repurposed to deliver the wiper payload aimed at Iran: security researcher Charlie Eriksen of Aikido confirmed that it relies on ICP canisters, which serve as durable command-and-control hubs.


How does the wiper component specifically target Iran?

The wiper component activates only when it concludes that the compromised system is in Iran, which it infers from the system's time zone (Asia/Tehran) and locale settings (Farsi as the default language). If either condition matches and the compromised host has access to a Kubernetes cluster, the wiper destroys data on every node in that cluster; with no Kubernetes access, it wipes data on the local machine. The check is a configuration heuristic rather than a geolocation: a Farsi-locale workstation outside Iran would match, while a server in Iran configured for UTC and an English locale would not. In practice this concentrates the damage on Iranian organizations and individuals and limits, but does not eliminate, collateral damage in other regions. Charlie Eriksen of Aikido described the behavior as deliberate: the worm seeks out systems whose configuration aligns with Iran's geopolitical profile.
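The following script evaluates whether a host matches the configuration profile the two passages above describe (the Asia/Tehran time zone or a Farsi default locale). It is an added example for this page, not code from the malware or from the researchers cited; the worm's exact checks are not published here, so the resolution order below follows POSIX/glibc conventions and is an assumption about how such a check would behave. Nothing in it modifies the system.

```python
"""Report whether this host would satisfy the CanisterWorm wiper's reported
trigger conditions (Asia/Tehran time zone or Farsi locale).

Added example, not the malware's code.  The precedence rules below are the
POSIX/glibc ones, an assumption about how a locale/time-zone check behaves.
The script only reads environment variables and two files."""
import os
from pathlib import Path
from typing import Dict, Optional

IRAN_TZ = "Asia/Tehran"
FARSI = "fa"


def resolve_timezone(env: Dict[str, str],
                     localtime: Path = Path("/etc/localtime"),
                     tzfile: Path = Path("/etc/timezone")) -> Optional[str]:
    """Return the configured IANA zone name, or None if it cannot be named.

    Precedence: the TZ variable (glibc also accepts a leading ':'), then the
    /etc/localtime symlink target under a zoneinfo directory, then the
    Debian-style /etc/timezone file.  A copied (non-symlink) /etc/localtime
    cannot be named without parsing TZif data, so it falls through to None.
    """
    tz = env.get("TZ", "").lstrip(":")
    if tz:
        return tz
    if localtime.is_symlink():
        target = os.path.realpath(localtime)
        if "zoneinfo/" in target:
            return target.split("zoneinfo/", 1)[1]
    try:
        return tzfile.read_text(encoding="utf-8").strip() or None
    except OSError:
        return None


def language_of(locale_value: Optional[str]) -> Optional[str]:
    """'fa_IR.UTF-8' -> 'fa'.  The C and POSIX locales carry no language."""
    if not locale_value:
        return None
    lang = locale_value.split(".", 1)[0].split("_", 1)[0].split("@", 1)[0]
    return None if lang in ("C", "POSIX", "") else lang.lower()


def effective_language(env: Dict[str, str]) -> Optional[str]:
    """POSIX precedence for the message language: the first non-empty of
    LC_ALL, LC_MESSAGES, LANG decides, even when it is 'C', so LC_ALL=C
    masks a Farsi LANG."""
    for var in ("LC_ALL", "LC_MESSAGES", "LANG"):
        value = env.get(var)
        if value:
            return language_of(value)
    return None


def matches_iran_profile(timezone: Optional[str], language: Optional[str]) -> bool:
    """The two reported trigger conditions; either one is sufficient."""
    return timezone == IRAN_TZ or language == FARSI


def assess(env: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Evaluate the current host, or a supplied environment mapping."""
    env = dict(os.environ) if env is None else env
    tz = resolve_timezone(env)
    lang = effective_language(env)
    return {"timezone": tz, "language": lang,
            "matches": matches_iran_profile(tz, lang)}


if __name__ == "__main__":
    # Constructed environments showing the heuristic's blind spots: a Farsi
    # locale anywhere in the world matches, while a server in Tehran running
    # UTC with an English locale does not.
    print(assess({"TZ": "Europe/Berlin", "LANG": "fa_IR.UTF-8"}))  # matches
    print(assess({"TZ": "UTC", "LANG": "en_US.UTF-8"}))            # does not
    print("this host:", assess())
```

Run it on the hosts you care about; a `matches: True` result on a machine that has no business being in scope (for example a build server whose image shipped with a Farsi locale) is exactly the kind of collateral exposure a configuration-based trigger produces.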

Why does Flare describe TeamPCP’s approach as 'industrialized'?

Assaf Morag of Flare explained that TeamPCP's strength lies not in novel exploits or original malware but in large-scale automation that chains well-known attack techniques together. The group industrializes known vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform, turning exposed infrastructure into a self-propagating criminal ecosystem. For example, it automates scanning for misconfigured Docker APIs, Kubernetes clusters, and Redis servers, then uses those footholds to spread the worm laterally. This lets the group hit a high volume of victims quickly and efficiently without developing new zero-day exploits, and it is a stark reminder that even common misconfigurations can be weaponized at scale.
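Because the entry points named here and in the TeamPCP profile above are misconfigurations rather than exploits, the defensive counterpart is an exposure audit. The script below is an added example for this page, not TeamPCP's or Flare's tooling: it sends one harmless request to each of the default ports for the Docker Engine API, Redis, the Kubernetes API server and the kubelet, and classifies the reply. The port numbers are the defaults and are an assumption about the target's configuration; the reply classification is kept in pure functions so it can be tested offline against the constructed responses at the bottom, which are not captured from any real host.

```python
"""Audit a host for the unauthenticated control-plane services TeamPCP's
worm is reported to scan for.  Added example, not the group's tooling.
Default ports are an assumption; SAMPLES are constructed, not captured."""
import socket
import ssl
import sys
from typing import Callable, Dict, Optional, Tuple

EXPOSED = "EXPOSED"                  # anonymous request fully served
AUTH_REQUIRED = "AUTH_REQUIRED"      # service answered, but demanded credentials
ANON_RBAC_DENIED = "ANON_RBAC_DENIED"  # kube-apiserver: anonymous-auth on, RBAC denied
UNKNOWN = "UNKNOWN"                  # reply not recognised as this service
UNREACHABLE = "UNREACHABLE"          # no TCP/TLS connection


def http_status(raw: bytes) -> Optional[int]:
    """Status code from a raw HTTP response, or None if it is not HTTP."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    return int(parts[1]) if parts[1].isdigit() else None


def _classify_anonymous_http(raw: bytes, marker: bytes) -> str:
    status = http_status(raw)
    if status == 200 and marker in raw:
        return EXPOSED
    return AUTH_REQUIRED if status in (401, 403) else UNKNOWN


def classify_docker(raw: bytes) -> str:
    """Docker's TCP API has no authentication of its own: a 200 on GET /version
    means anyone reaching the port can start privileged containers."""
    return _classify_anonymous_http(raw, b"ApiVersion")


def classify_redis(raw: bytes) -> str:
    """RESP reply to PING: +PONG means no AUTH/ACL is needed; -NOAUTH means a
    password is enforced; -DENIED is protected mode refusing non-loopback."""
    if raw.startswith(b"+PONG"):
        return EXPOSED
    if raw.startswith(b"-NOAUTH") or raw.startswith(b"-DENIED"):
        return AUTH_REQUIRED
    return UNKNOWN


def classify_kube_api(raw: bytes) -> str:
    """Anonymous GET /api: 200 with APIVersions means system:anonymous is
    authorized; 403 means anonymous auth is on but RBAC denies (review what
    system:anonymous may still read); 401 means anonymous auth is off."""
    status = http_status(raw)
    if status == 200 and b"APIVersions" in raw:
        return EXPOSED
    if status == 403:
        return ANON_RBAC_DENIED
    return AUTH_REQUIRED if status == 401 else UNKNOWN


def classify_kubelet(raw: bytes) -> str:
    """Anonymous GET /pods on the kubelet: a 200 PodList leaks every pod spec
    on the node and usually means /run (exec) is open as well."""
    return _classify_anonymous_http(raw, b"PodList")


def _http_get(host: str, path: str) -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def _exchange(host: str, port: int, payload: bytes, tls: bool, timeout: float = 3.0) -> bytes:
    """Connect, send one request, return whatever arrives before the timeout."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if tls:  # control planes use self-signed certs; only the status line matters here
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(payload)
        chunks, total = [], 0
        while total < 65536:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
        return b"".join(chunks)
    finally:
        sock.close()


# name -> (default port, request builder, TLS?, classifier)
PROBES: Dict[str, Tuple[int, Callable[[str], bytes], bool, Callable[[bytes], str]]] = {
    "docker-api/2375": (2375, lambda h: _http_get(h, "/version"), False, classify_docker),
    "redis/6379":      (6379, lambda h: b"PING\r\n",               False, classify_redis),
    "kube-api/6443":   (6443, lambda h: _http_get(h, "/api"),      True,  classify_kube_api),
    "kubelet/10250":   (10250, lambda h: _http_get(h, "/pods"),    True,  classify_kubelet),
}


def audit(host: str) -> Dict[str, str]:
    """Probe every service in PROBES and return a name -> verdict map."""
    findings: Dict[str, str] = {}
    for name, (port, payload, tls, classify) in PROBES.items():
        try:
            findings[name] = classify(_exchange(host, port, payload(host), tls))
        except OSError:  # includes ssl.SSLError and timeouts on connect
            findings[name] = UNREACHABLE
    return findings


# Constructed responses (not captured from any real host) for offline checks.
SAMPLES = {
    "docker_open": b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                   b'{"Platform":{"Name":"Docker Engine"},"ApiVersion":"1.45"}',
    "redis_open": b"+PONG\r\n",
    "redis_auth": b"-NOAUTH Authentication required.\r\n",
    "kube_open": b'HTTP/1.1 200 OK\r\n\r\n{"kind":"APIVersions","versions":["v1"]}',
    "kube_anon_rbac": b'HTTP/1.1 403 Forbidden\r\n\r\n{"kind":"Status","code":403}',
    "kubelet_open": b'HTTP/1.1 200 OK\r\n\r\n{"kind":"PodList","items":[]}',
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for service, verdict in audit(target).items():
        print(f"{target} {service:16} {verdict}")
```

Run it from outside the host's own network segment (a scanner's vantage point), not from localhost, since Redis protected mode and firewall rules only bite on non-loopback connections. Any `EXPOSED` verdict is the same foothold the worm automates: an unauthenticated Docker API is root on the host, and an anonymous kubelet or API server turns a single foothold into the cluster-wide blast radius described in the wiper sections above.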